17

I use Firebase for user authentication. I just resubmitted my app and got the following rejection:

Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing

We noticed you do not use App Tracking Transparency to request the user's permission before tracking their activity across apps and websites. The app privacy information you provided in App Store Connect indicates you collect data in order to track the user, including Other Diagnostic Data, Audio Data, Performance Data, Crash Data, Product Interaction, Phone Number, User ID, Emails or Text Messages, Photos or Videos, and Search History.

Starting with iOS 14.5, apps on the App Store need to receive the user’s permission through the AppTrackingTransparency framework before collecting data used to track them. This requirement protects the privacy of App Store users.

Next Steps

Here are two ways to resolve this issue:

  • You can remove the tracking functionality from your app and update your app privacy information in App Store Connect.
  • If you decide to continue tracking users, you must implement App Tracking Transparency and request permission before collecting data used to track the user or device.

My app has no ads but I have to track users throughout the app using their userID so that I know what post belongs to which user etc etc.

If the user declines the AppTrackingTransparency prompt, isn't that basically saying that I can no longer track them? I have no idea what to do here.

Here are the Privacy checkboxes that I filled out. Apparently I can change something but I don't know what to change.


Lance Samaria
  • 1
    Same issue here. We don’t do ad tracking but apparently since we ask for their email, and use Crashlytics, we need to prompt them with the request. Doesn’t seem like my expectation of this lines up with what was presented from the App Store. I’m not able to track retention anymore? I think I’m about to go out of business or I have to focus only on revenue. I think the big companies won here. – user3792132 May 02 '21 at 04:51
  • @user3792132 hey what's up, I resubmitted and got approved. I posted the answer below. Hopefully it helps you out also – Lance Samaria May 02 '21 at 19:53
  • 1
    What if you track users just for internal analytics then you have to put up the prompt? And if the users declines do you have to delete their account? – Curtis Jun 04 '21 at 20:33
  • I never checked analytics in the questionnaire so I don’t know. This is an Apple issue that they aren’t clear about. – Lance Samaria Jun 04 '21 at 20:39

1 Answer

21

I resubmitted my app and it got approved. Seems the key is to make sure it is only Used for App Functionality.

To make that happen I made these changes to the App Policy page in App Store Connect.

  1. I clicked the blue Edit button next to each policy. Of the 10 policies, here are 4 red arrows next to 4 of the Edit buttons. Click each one for the same results for steps two, three, and four.

  2. After clicking the Edit button, you will be presented with a screen with a bunch of selections. For that screen, all I did was check App Functionality.

  3. For the 2nd screen, I selected No, user IDs collected from this app are not linked to the user's identity.

  4. For the 3rd screen I selected No, we do not use phone numbers for tracking purposes. Notice on the 3rd screen, under Definitions and Examples, it says:

Tracking does not apply in the following situations:

• When the data broker uses the data shared with them solely for fraud detection or prevention or security purposes

Here is a screenshot with it in purple underline:

  5. Here is how all of my Privacy Policies look now:

  6. Here is the email approval:

Lance Samaria
  • 6
    So you don't ever look at user statistics to measure the effectiveness of your features? – Curtis Jun 04 '21 at 20:31
  • 3
    I might be wrong, but the way I read the answer it seems to me you're avoiding at all cost Apple's official guidelines looking for the loophole in order to submit the app. Guidelines are there for some reason, and we can get into a big mess if they're not followed. As said before, I hope your app's purpose is for App functionality for all data types, however, be careful the rest of users, that's not a solution for everyone, it is a solution for a particular app and its context. – GoRoS Mar 15 '22 at 19:53
  • @GoRoS In one sentence you say that I’m avoiding the guidelines by using a loophole. In the next sentence you're saying that it is a solution for a particular app and its context. If that’s the case then I’m not avoiding the guidelines. You could’ve said everything that you said, without throwing stones at me. – Lance Samaria Mar 15 '22 at 20:18
  • @LanceSamaria I just said what it seemed to me, not judging anyone. Only you can assure whether you're complying with them or not. From the outside it seemed a bit strange to make so many changes from your first app privacy approach to get the approval, nothing more. I just wanted to point out the risk for other users of copy pasting blindly your solution to get an app approved. Each particular app is different and its privacy policies should be evaluated and treated as is. – GoRoS Mar 15 '22 at 21:49
  • @GoRoS my first app policy was the first time I ever implemented the policies. I had no idea what I was doing so I just picked whatever made sense to me. As I dug deeper I realized that I had no ads and I don’t look at any of the analytics for that particular app. So in that particular situation I only needed the options for app functionality. Anyhow, enjoy your day and Happy Coding! – Lance Samaria Mar 15 '22 at 21:52
  • @LanceSamaria I think that doesn't matter what you do. The question is if the Firebase Authentication department is considered a data processor or a data controller. My understanding is: If it's a data controller, then you are sharing data. If Google is then using this data to track, which you should assume, you are literally giving false information to Apple. – Martin Braun Jul 11 '23 at 20:44
  • @LanceSamaria On the flip side: If Firebase Authentication is a data processor, it means that you will need a Data Processing Agreement (DPA) which should be a signed contract between you and Google, so that you can hold them accountable by law, as well as being protected yourself, if they treat the data of your users irresponsibly. – Martin Braun Jul 11 '23 at 20:44
  • @MartinBraun Honestly this was so long ago I barely remember. – Lance Samaria Jul 12 '23 at 04:02